Tags and Labels – Make Sense of Multi-Cloud, Hybrid, and On-Premises Networks in an Atomized Network World.
By William Toll, Sr. Director, Product Marketing
The post-pandemic speed at which new applications are being built, often by remote global teams, is orders of magnitude higher than the legacy world of the past. That speed and diversity extend to the tools and services they are using to build the applications and the networks they are connecting to and running in production.
These applications are being built across the Atomized Network – legacy, on-premises, hybrid, multi-cloud, edge, IoT and OT environments. The network perimeter has been atomized by decades of digital transformation, which means it has become dispersed, ephemeral, encrypted, and diverse. Infrastructure and appliances are being replaced by software and services at every point in the architecture of the applications. The requirements for scalability, performance, and cost optimization result in an incredible amount of application infrastructure being ephemeral.
Maintaining visibility into these applications and infrastructure is impossible without labeling and tagging everything. The primary function of tags and labels is to enable visibility, automation, and operational governance for the applications and infrastructure that an organization relies on. A modern tagging and labeling strategy will provide meta-level detail for applications and infrastructure and provide the context for: security and compliance requirements, application or device location, owner, capabilities and constraints, costs, and any other data that will be helpful for teams across the organization. Modern development and deployment models depend on tags and labels to enable automation and define deployments.
In summary, the context in labels and tags ensures security operations, CloudOps, and NetOps, FinOps analysts and administrators can access the visibility, control, and operational governance mechanisms for applications and infrastructure.
Strategies for taxonomy and tagging generally focus on two primary goals: operational and business. Tags are key: value pairs or simple metadata values (e.g., “web-server”, “database”) and are often synchronized across systems. Some platforms and configuration management tools like AWS, Kubernetes, and Chef can automatically generate their own tags. Almost all systems allow custom tags and labels.
Tags are not case-sensitive and different platforms have different rules on tag length, permitted characters and how they are formatted to represent the key:value pair.
Tags can be implemented in platform consoles or via the APIs that are used to manage and deploy infrastructure.
Tag and label types and samples:
Operations Tags ensure that the infrastructure, workload, application, constraints, security, SLA, and automation schemes are usable via automation and understandable by the teams responsible for security and operations. Sample operations tags and labels might include: Operational SLA: critical, high, medium, low or location or availability zone.
Business Tags enable more than just a FinOps approach to capturing usage and costs; these tags ensure that ownership, and administration, are clear and enable teams in a global 24/7 workforce to respond quickly and accurately to issues and audit requests. Sample business tags and labels might include the application owner and division owner, and some organizations include the name of the primary owner, like john-smith.
Security: Security tags are critical for analysts, incident responders, threat hunters, and others responsible for analyzing alerts and discovering and gaining context for indicators of compromise, and ensuring that security controls are visible and effective. Sample security tags and labels might include os, risk level, or security group.
Operational Governance and Regulatory Compliance: Tags in this category are often used to ensure that all controls and policies remain visible, reportable, and effective against the corporate, industry, or government policies and regulations that necessitated their need. Sample operational governance tags and labels might include policy name, control name, and compliance group e.g. (PCI) or regulatory groupe.g.. (GDPR or PII).
Infrastructure as Code, DevOps, DevSecOps, SecOps automation: Many of the modern infrastructure and security solutions deployed today are built on a foundation of automation, and they are configured to perform their actions based on tags and labels. Tags and labels enable scaling, workload optimization, risk management, and other architectural considerations to be automated. Sample automation tags and labels might include autoscale group, environment prod/test/dev, role: web, database, log, backup, vm-role, instance-number, instance-type.
CloudOps, Infrastructure Operations, and IT management resources: These teams ensure that SLA commitments, patching, and outage issues have the visibility and context needed when issues arise. A good resource tagging and labeling scheme is needed to respond quickly and effectively. Sample resource tags and labels might include agent version, external IP, OS family, OS version.
FinOps and Cost/Budgeting: Modern teams are consuming numerous cloud services and have automated their infrastructure to such a high degree that they can automate scaling up and down and tune their deployments to take advantage of flexible billing and cost-saving schemes like Amazon’s spot instances. Additionally, many organizations have complex chargeback requirements for investments in technology, and FinOps tags and labels make it easier to perform ROI calculations, budget and cost tracking. Sample FinOps tags and labels might include department, division, department code-code, application-name.
There are many great resources where you can learn more about tags and labels, and some of the best are the hyperscale cloud providers themselves. Here are links to the top level documentation from the big five.
AWS Tagging Best Practices:
Azure Naming and Tagging Strategy Guidance:
Google Network Tagging Documentation:
IBM Cloud Documentation on Using Tags:
Oracle Cloud Infrastructure Documentation on Tagging:
With Netography Fusion, you can ingest and keep your tags and labels in-sync from cloud providers (AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud), endpoints via integration with CrowdStrike Falcon and other systems via a CSV template and data in an S3 bucket. With tags and context labels, your Netography Fusion portal and interactions have more context and enable new use cases like policy-driven network security and visibility and faster onboarding of new analysts and responders to your teams.